Mt. Gox bitcoin debacle: huge heist or sloppy glitch?

February 28, 2014|Reuters

By Jeremy Wagstaff

SINGAPORE, Feb 28 (Reuters) - Close to half a billion dollars worth of the bitcoin virtual currency has gone missing from an exchange in Tokyo - in what is either the bank heist of the century or a sloppy glitch, or a combination of the two.

Mark Karpeles, the 28-year-old French CEO of Mt. Gox, which once handled around 80 percent of the world's bitcoin trades, filed for bankruptcy at a Tokyo District Court late on Friday. His lawyer said that nearly all the bitcoins in the exchange's possession - 850,000 of them - were missing. Karpeles blamed hackers.

At current bitcoin rates on other exchanges, that would mean $473 million is lost - around 7 percent of all bitcoins minted.

"If the theft is true," said Campbell Harvey, a professor at Duke University's Fuqua School of Business, "it's the biggest bank heist in history," aside from when Saddam Hussein ordered his son to withdraw $1 billion from Iraq's central bank in 2003.

How this happened remains a mystery. But most observers say Mt. Gox's laxness played a key role in the debacle.

"When I first signed up to it, it was clearly not fit to be a financial services company," said Jon Rushman, who researches and lectures about bitcoin at England's University of Warwick. But things got better, he said: "It has been a process of learn-by-doing that they have discovered all sorts of things they should be doing, but were not."

No official explanation has been forthcoming beyond blaming hackers and weaknesses in Mt. Gox's system.

A document circulating on the internet that purports to be a crisis strategy paper prepared on behalf of Mt. Gox blamed the hole on a "malleability-related theft which went unnoticed for several years." Mt. Gox has not confirmed the authenticity of the document.

The phrase, says Ethan Heilman, a research fellow at Boston University, refers to a bug in the bitcoin process whereby someone could trick Mt. Gox into thinking a transaction had failed - and therefore keep repeating it.

This, say Heilman and others, could explain the disappearance of the money - even though the bug has been known for a while, and has been fixed on other exchanges.
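As an added illustration (not code from the article, from Mt. Gox or from any exchange), here is the reconciliation failure Heilman describes, in a toy transaction model: because the txid hashes the unlocking data, the mined copy of a withdrawal can carry a different txid from the one the exchange recorded, so a back office that looks only for its own txid marks the payout as failed and repeats it, while one that matches on the coins actually spent settles it correctly. The serialization, names and sample values are constructed assumptions, not Bitcoin's real wire format.

```python
import hashlib
from dataclasses import dataclass

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

@dataclass
class Tx:
    inputs: list   # [((prev_txid_hex, vout), unlocking_bytes), ...]
    outputs: list  # [(address, satoshis), ...]

    def serialize(self) -> bytes:
        # Toy serialization (constructed, not Bitcoin's wire format). As in
        # pre-SegWit Bitcoin, the unlocking data is part of the hashed bytes,
        # so re-encoding it yields a different txid for the very same spend.
        parts = []
        for (prev, vout), unlock in self.inputs:
            parts.append(bytes.fromhex(prev) + vout.to_bytes(4, "little") + unlock)
        for addr, amount in self.outputs:
            parts.append(addr.encode() + amount.to_bytes(8, "little"))
        return b"".join(parts)

    def txid(self) -> str:
        return sha256d(self.serialize())[::-1].hex()

    def outpoints(self) -> frozenset:
        return frozenset(op for op, _ in self.inputs)

def naive_status(sent: Tx, confirmed: list) -> str:
    # Keyed on the txid the exchange broadcast: a mined copy under another
    # txid looks like a failure, so a naive back office resends the payout.
    return "confirmed" if any(t.txid() == sent.txid() for t in confirmed) else "failed"

def robust_status(sent: Tx, confirmed: list) -> str:
    # Keyed on the coins spent: once any mined transaction consumes the
    # withdrawal's inputs, the payout happened, whatever txid it ended up with.
    for t in confirmed:
        if t.outpoints() & sent.outpoints():
            return "confirmed" if t.txid() == sent.txid() else "confirmed (txid malleated)"
    return "failed"

def reencoded_copy(tx: Tx) -> Tx:
    # Constructed stand-in for a relay node re-encoding the unlocking data:
    # same inputs and outputs, different bytes, hence a different txid.
    return Tx([(op, unlock + b"\x00") for op, unlock in tx.inputs], list(tx.outputs))

PREV_TXID = "aa" * 32  # constructed outpoint being spent
WITHDRAWAL = Tx([((PREV_TXID, 0), b"\x30\x44constructed-sig")], [("customer-addr", 100_000)])
MINED = reencoded_copy(WITHDRAWAL)
```

The practical defence this shows is to reconcile withdrawals by the outpoints they spend (and to audit wallet balances against the chain) rather than by the txid alone.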

STRETCHING CREDIBILITY

More problematic is another part of the document's purported explanation.

Usually bitcoins' private keys - something similar to a personal bank PIN code - are stored offline, where hackers can't get them. This 'cold storage' is unconnected to the online part - the hot wallet. The document says "the cold storage has been wiped out due to a leak in the hot wallet" - a statement experts say doesn't make sense.

If true, this suggests the vast majority of Mt. Gox's bitcoin deposits were leaking out without anyone noticing.

This stretches credibility, says Anthony Hope, who heads compliance for Hong Kong-based bitcoin company MatrixVision. Once Mt. Gox was aware of the malleability bug, why didn't they check their cold storage? "This is like someone saying that you put your wine in a cellar to keep cool, then someone tells you that a particular vintage had loose corks," he said. "You'd presumably go into the cellar to ensure your bottles were not affected."

If the bitcoins have been stolen, the thief or thieves would have several options to convert them into cash, said Boston University's Heilman.

They could have used a "mixing service" to mix one group of funds with those of other people. They could also have used a service like localbitcoins.com to trade bitcoins for cash in person. "There are many possibilities for cashing out, although fencing this many bitcoins would be difficult," he said.

To do that, says Charles McFarland, a research engineer at online security company McAfee, the thief or thieves would have to conceal their tracks by spreading the bitcoin around prior to laundering it into cash.

Trying to do so from a single bitcoin wallet would have been like stuffing thousands of socks in a dryer while everyone else is throwing in only a single pair.

"For this reason it's a safe bet to say the stolen bitcoins are most likely paid out in numerous wallets so each transaction can hide among the trees," McFarland said. That, he said, would make it "expensive, if not impossible, to track."

Knowing whether this was theft or negligence, or both, will take time, and may never happen. U.S. federal prosecutors have subpoenaed Mt. Gox - and other bitcoin businesses - to seek information on a spate of disruptive cyber attacks.

But bitcoin is an unregulated industry, requires no technical audits or risk management procedures - and offers few ways of prosecuting those who might have acted illegally, says Zennon Kapron, who runs a finance consultancy in Shanghai.

"The unfortunate part is that we may never know exactly how this happened," he says.